Re: use signed git tags to verify upstream tarball

2015-08-21 Thread Danny Edel
On 21/08/15 11:12, Thomas Koch wrote:
> Sometimes we are lucky and upstream uses signed git tags. That still does not 
> help us to verify the orig.tar.gz. It can however still be very useful.
> 

Hi Thomas,

In case you're interested, I've tried to reproduce a "git archive" style
tarball (for example, as generated by github) from a gpg-signed tag.

This should at least imply some kind of trust.


Basically do (assuming you have some WOT toward the signer's key)

(1) git clone

(2) git tag --verify v1.31

(3) git archive v1.31 --prefix="projectname-1.31/" --format=tar | gzip -n > projectname-1.31.tar.gz

The produced tarball will be exactly the same as the github-generated
tarball, so if you use this as .orig.tar.gz, embedding the checksum into
your signed debian-changes file, you can use github's mirror safely and
should not have to worry about man-in-the-middle attacks.

Since you now have a direct correlation between signed+verified tag and
(locally, on your trusted system, regenerated) orig.tar.gz from this
very tag, does this help?

- Danny
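
Steps (2) and (3) above as a script, with a byte-for-byte comparison against a separately downloaded tarball. This is an added example, not part of the original message; the script name, function names and return codes are illustrative assumptions.

```shell
#!/bin/sh
# Usage: sh verify-orig.sh REPO TAG PREFIX DOWNLOADED.tar.gz
# e.g.   sh verify-orig.sh ./projectname v1.31 projectname-1.31 projectname-1.31.tar.gz
# (script and function names are illustrative, not from the original message)

# Step (2): succeed only if TAG is a signed tag whose signature verifies
# against the local keyring. Lightweight (unsigned) tags fail here as well.
# Trust in the signer's key itself is assumed, as in the message.
check_tag() {   # check_tag REPO TAG
    git -C "$1" tag --verify "$2" >/dev/null 2>&1
}

# Step (3): rebuild the tarball locally. The tar is written to a file first so
# a failing "git archive" cannot hide behind a successful gzip in a pipeline.
# gzip -n keeps name and timestamp out of the gzip header, so the result
# depends only on the tagged tree and the git/gzip versions in use.
regen_orig() {  # regen_orig REPO TAG PREFIX OUTFILE
    git -C "$1" archive --format=tar --prefix="$3/" "$2" > "$4.tar" || {
        rm -f "$4.tar"; return 1; }
    gzip -n < "$4.tar" > "$4"; rc=$?
    rm -f "$4.tar"
    return "$rc"
}

# Return 0 if DOWNLOADED is byte-identical to the tarball regenerated from the
# verified tag, 2 if the tag signature does not verify, 3 if the bytes differ.
verify_orig() { # verify_orig REPO TAG PREFIX DOWNLOADED
    check_tag "$1" "$2" || { echo "tag $2: no valid signature" >&2; return 2; }
    tmp=$(mktemp) || return 1
    regen_orig "$1" "$2" "$3" "$tmp" || { rm -f "$tmp" "$tmp.tar"; return 1; }
    if cmp -s "$tmp" "$4"; then rc=0; else rc=3; fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || echo "$4 differs from tarball rebuilt from $2" >&2
    return "$rc"
}

if [ "$#" -eq 4 ]; then verify_orig "$@"; fi
```

A non-zero result means the downloaded file should not be used as .orig.tar.gz; use the locally regenerated tarball instead.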



Re: Automated download/update of data files

2015-08-25 Thread Danny Edel
On 25/08/15 09:44, Ole Streicher wrote:
> What is the best way to keep these data up to date in Debian? An
> automated process as written in the pull request [1] is probably not the
> right way, since it is a potential privacy violation.

Hi Ole,

I wouldn't say that it's automatically bad to download current data on a
regular basis, as long as the system administrator *agreed* to do
automated downloads / have the computer talk to the outside world.

From a system administrator's point of view, the following would be all
right to me:

* When you install the package, debconf asks if you want the automated
upgrades, preferably telling me how often it's going to download them and
information about the source. (And I know I can always change my mind
later with dpkg --reconfigure packagename, although this could be
explicitly stated in the dialog).

Take a look at "dpkg-reconfigure popularity-contest" for an example.

* The choice is stored in /etc/packagename.conf or similar. A comment
informing that "dpkg-reconfigure packagename" is the easy way to edit
the file might be nice.

* The package installs a cronjob that loads the configuration file,
and depending on whether auto-downloads are allowed, does the actual
downloading/verification/installing of the files or simply does nothing.


Since this rests on the system administrator being informed about what
the system will do, and giving an explicit OK, I would not consider it a
privacy violation.


I don't know how complicated this is to implement, but do you think it
could be a good design rationale?

- Danny



Re: Need help in downgrading evolution

2015-08-27 Thread Danny Edel
On 27/08/15 09:22, Svante Signell wrote:
> Any ideas how to proceed until bug #795287 is closed?

Hi Svante,

Since you can't install the pre-regression binary (since it links
against the pre-gcc5-transition libs), maybe you'll have more luck
grabbing the old source code and building (older) evolution against the
libraries currently in sid (although I don't know what we would call it,
maybe Forwardporting?)

Take a look at https://wiki.debian.org/SimpleBackportCreation and
https://wiki.debian.org/BuildingFormalBackports for the whole process,
but basically it comes down to:

sudo apt-get install devscripts equivs

dget -x http://debianmirror/evolution_oldversion.dsc
cd evolution_oldversion
sudo mk-build-deps --install --remove
debuild -uc -us
sudo dpkg -i ../binaryOne.deb ../binaryTwo.deb ../binaryThree.deb

(If you simply want to install *all* binaries, you can call "sudo debi"
instead of "dpkg -i one.deb two.deb three.deb")

- Danny



Bug#812885: general: Bluetooth doesn't work

2016-01-28 Thread Danny Edel
On 01/27/2016 04:49 PM, justysia wrote:
> [12.695075] bluetooth hci0: firmware: failed to load 
> brcm/BCM43142A0-4ca-2009.hcd (-2)
> Please help me fix it.
> Best regards,
> Justysia

Hello Justysia,

I had the same problem on an Acer Notebook that came with this card
pre-installed.

If you cannot find the firmware in the hcd format (it's probably not
legal to distribute on the internet, so I wouldn't be surprised if it's
hard to find), but still have the windows driver CD that came with the
laptop, you can convert the .hex file on there to the .hcd format.

On the laptop I installed (BCM43142, 04ca:2009) the firmware was called
BCM43142A0_001.001.011.0197.0211.hex on the windows CD.

I used Jesse Sung's hex2hcd utility from
https://github.com/jessesung/hex2hcd to convert, and moved it to the
filename mentioned in the error message /lib/firmware/brcm/xxx.hcd -
maybe that works for you too.



d-devel readers:  Would it be possible for Debian to distribute the
resulting file as part of a broadcom firmware package?  Firmware for
their wireless lan chipsets is already distributed in a similar manner.


Cheers,

- Danny



Bug#820301: ITP: pytest-benchmark -- py.test fixture for benchmarking code

2016-04-07 Thread Danny Edel
Package: wnpp
Severity: wishlist
Owner: Danny Edel 

* Package name: pytest-benchmark
  Version : 3.0.0
  Upstream Author : Ionel Cristian Mărieș 
* URL : https://github.com/ionelmc/pytest-benchmark
* License : BSD-2-Clause
  Programming Lang: Python
  Description : py.test fixture for benchmarking code

This plugin provides a benchmark fixture. This fixture is a callable
object that will benchmark any function passed to it.
.
It allows to save and compare timing data to detect speed regressions,
and can output results as svg graphs.

-

I will coordinate with the python-modules-team (in CC) about how
to maintain and upload the packaging.